eap_sim_anonymous_username() gets called with an argument that is not a
null terminated C string and as such, os_strrchr() and os_strlen()
cannot be used with it. The previous implementation resulted in use of
uninitialized values and a potential read beyond the end of the buffer.
Credit to OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=32277
Fixes: 73d9891bd7 ("EAP-SIM/AKA peer: Support decorated anonymous identity prefix")
Signed-off-by: Jouni Malinen <j@w1.fi>
It is possible to receive the Configuration Request frame before having
seen TX status for the Authentication Confirm. In that sequence, the
DPP-AUTH-SUCCESS event would not be indicated before processing the
configuration step and that could confuse upper layers that follow the
details of the DPP exchange. As a workaround, indicate DPP-AUTH-SUCCESS
when receiving the Configuration Request since the Enrollee/Responser
has clearly receive the Authentication Confirm even if the TX status for
it has not been received.
This was already done in wpa_supplicant in commit 422e73d623 ("DPP:
Indicate authentication success on ConfReqRX if needed") and matching
changes are now added to hostapd.
Signed-off-by: Jouni Malinen <j@w1.fi>
Need to get EAP state machine into a state where it is willing to
proceed with a new EAP-Request/Identity if PMKSA cache addition fails
after a successful EAP authentication before the initial 4-way handshake
can be completed.
Signed-off-by: Jouni Malinen <j@w1.fi>
The waiting_conn_status_result flag was not set which made hostapd
discard the Connection Status Result. Fix this to match the
wpa_supplicant implementation.
Signed-off-by: Jouni Malinen <j@w1.fi>
Add minimal testing for airtime policy configuration. mac80211_hwsim
does not actually support this functionality, so this is just for
testing coverage of src/ap/airtime_policy.c.
Signed-off-by: Jouni Malinen <j@w1.fi>
Add a new testing parameter to allow airtime policy implementation to be
tested for more coverage even without kernel driver support.
Signed-off-by: Jouni Malinen <j@w1.fi>
It is better to be able to determine whether the airtime weight
configuration for a STA actually was accepted by the driver or not.
Signed-off-by: Jouni Malinen <j@w1.fi>
The firmware sends new reason codes to indicate TWT teardown due to
single channel and multi channel concurrency. Update the enum
qca_wlan_vendor_twt_status to represent new reason code.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Dump pending monitor interface messages between each roaming step to
make the test log easier to understand and hostapd wait for the new
connection more robust by ensuring that the processed event if for the
very last reassociation. It looks like at least ap_ft_vlan_over_ds_many
could fail due to the connectivity check being started before the final
roam had been completed on the AP side even though there was an explicit
hapd2ap.wait_sta() wait before the test.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
APs PMF capabilities can differ. wpa_supplicant should be able to
disable and enable MBO when roaming to and from a misbehaving MBO AP
that doesn't support PMF. Verify that this is indeed happening.
Signed-off-by: Matthew Wang <matthewmwang@chromium.org>
gcc-10 seems to be inlining eap_eke_prf() and eap_eke_prfplus() which
breaks this test case due to a different backtrace being generated for
triggering the local failures. Point to the functions called by those
instead of these two functions to get this working with both gcc-9 and
gcc-10.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Hide /usr/share/wireshark from hostfs to prevent tshark from loading all
the data from there since that can take significant amount of time and
is not really needed for the test cases. In addition, set HOME to point
to local tmpfs to avoid unnecessary references through hostfs.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
The new wpa_supplicant control interface command "PASN_DEAUTH
bssid=<BSSID>" can now be used to flush the local PTKSA cache for the
specified BSS and to notify the AP to request it to drop its PTKSA as
well.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
To allow for a PASN station to deauthenticate from an AP to clear any
PTKSA cache entry for it, extend the nl80211 interface to allow sending
a Deauthentication frame with off channel enabled.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
When a Deauthentication frame is received, clear the corresponding PTKSA
cache entry for the given station, to invalidate previous PTK
information.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
The anti-clogging code was under CONFIG_SAE. Change this so it can be
used both with CONFIG_SAE and CONFIG_PASN.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
PASN authentication mandates support for comeback flow, which
among others can be used for anti-clogging purposes.
As the SAE support for anti clogging can also be used for PASN,
start modifying the source code so the anti clogging support
can be used for both SAE and PASN.
As a start, rename some variables/functions etc. so that they would not
be SAE specific. The configuration variable is also renamed, but the old
version remains available for backwards compatibility.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
For testing purposes, add support for corrupting the MIC in PASN
Authentication frames for both wpa_supplicant and hostapd.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
When a public key is included in the PASN Parameters element, it should
be encoded using the RFC 5480 conventions, and thus the first octet of
the Ephemeral Public Key field should indicate whether the public key is
compressed and the actual key part starts from the second octet.
Fix the implementation to properly adhere to the convention
requirements for both wpa_supplicant and hostapd.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
As defined in IEEE P802.11az/D3.0, 12.12.3.2 for the second PASN frame.
This was previously covered only for the case when the explicit PMKSA
was provided to the helper function. Extend that to cover the PMKID from
SAE/FILS authentication cases.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
When ERP initialization was moved from the METHOD state to the SUCCESS
state, the conditions for checking against EAP state being cleared was
missed. The METHOD state verified that sm->m is not NULL while the
SUCCESS state did not have such a check. This opened a window for a race
condition where processing of deauthentication event and EAPOL RX events
could end up delivering an EAP-Success to the EAP peer state machine
after the state had been cleared. This issue has now been worked around
in another manner, but the root cause for this regression should be
fixed as well.
Check that the EAP state machine is properly configured before trying to
initialize ERP in the SUCCESS state.
Fixes: 2a71673e27 ("ERP: Derive ERP key only after successful EAP authentication")
Signed-off-by: Jouni Malinen <j@w1.fi>
These parameters were already defined in struct hostapd_data, but there
was no way of setting them. Add these to hostapd control interface
similarly to the wpa_supplicant implementation.
Signed-off-by: Jouni Malinen <j@w1.fi>
The highest supported TLS version for pre_master_secret needs to be
limited based on the local configuration for the case where the highest
version number is being explicitly disabled. Without this, the server
would likely detect a downgrade attack.
Signed-off-by: Jouni Malinen <j@w1.fi>
Even though the STA in this test case does not actually use SAE, it
needs to recognize the "SAE H2E only "BSS membership selector.
Signed-off-by: Jouni Malinen <j@w1.fi>